svn commit: r295003 - in vendor-crypto/openssl/dist-1.0.1: . apps crypto crypto/aes crypto/bio crypto/bn crypto/camellia crypto/des crypto/dsa crypto/dso crypto/ec crypto/engine crypto/evp crypto/r...
Jung-uk Kim
jkim at FreeBSD.org
Thu Jan 28 18:44:17 UTC 2016
Author: jkim
Date: Thu Jan 28 18:44:11 2016
New Revision: 295003
URL: https://svnweb.freebsd.org/changeset/base/295003
Log:
Import OpenSSL 1.0.1r.
Added:
vendor-crypto/openssl/dist-1.0.1/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
vendor-crypto/openssl/dist-1.0.1/util/pod2mantest (contents, props changed)
Modified:
vendor-crypto/openssl/dist-1.0.1/ACKNOWLEDGMENTS
vendor-crypto/openssl/dist-1.0.1/CHANGES
vendor-crypto/openssl/dist-1.0.1/Configure
vendor-crypto/openssl/dist-1.0.1/FREEBSD-upgrade
vendor-crypto/openssl/dist-1.0.1/INSTALL
vendor-crypto/openssl/dist-1.0.1/LICENSE
vendor-crypto/openssl/dist-1.0.1/Makefile
vendor-crypto/openssl/dist-1.0.1/Makefile.org
vendor-crypto/openssl/dist-1.0.1/NEWS
vendor-crypto/openssl/dist-1.0.1/README
vendor-crypto/openssl/dist-1.0.1/apps/engine.c
vendor-crypto/openssl/dist-1.0.1/apps/ocsp.c
vendor-crypto/openssl/dist-1.0.1/apps/pkcs12.c
vendor-crypto/openssl/dist-1.0.1/apps/speed.c
vendor-crypto/openssl/dist-1.0.1/apps/x509.c
vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes.h
vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_cbc.c
vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_cfb.c
vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_core.c
vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ctr.c
vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ecb.c
vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ige.c
vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_locl.h
vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_misc.c
vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ofb.c
vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_x86core.c
vendor-crypto/openssl/dist-1.0.1/crypto/bio/bio.h
vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_bio.c
vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_conn.c
vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_dgram.c
vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_exp.c
vendor-crypto/openssl/dist-1.0.1/crypto/bn/exptest.c
vendor-crypto/openssl/dist-1.0.1/crypto/camellia/camellia.c
vendor-crypto/openssl/dist-1.0.1/crypto/camellia/camellia.h
vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_cbc.c
vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_cfb.c
vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ctr.c
vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ecb.c
vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_locl.h
vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_misc.c
vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ofb.c
vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_utl.c
vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old.c
vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old.h
vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old2.c
vendor-crypto/openssl/dist-1.0.1/crypto/dsa/dsa_ossl.c
vendor-crypto/openssl/dist-1.0.1/crypto/dso/dso.h
vendor-crypto/openssl/dist-1.0.1/crypto/dso/dso_dl.c
vendor-crypto/openssl/dist-1.0.1/crypto/dso/dso_dlfcn.c
vendor-crypto/openssl/dist-1.0.1/crypto/dso/dso_lib.c
vendor-crypto/openssl/dist-1.0.1/crypto/ec/ectest.c
vendor-crypto/openssl/dist-1.0.1/crypto/engine/eng_all.c
vendor-crypto/openssl/dist-1.0.1/crypto/evp/e_camellia.c
vendor-crypto/openssl/dist-1.0.1/crypto/evp/e_old.c
vendor-crypto/openssl/dist-1.0.1/crypto/evp/e_seed.c
vendor-crypto/openssl/dist-1.0.1/crypto/mem_clr.c
vendor-crypto/openssl/dist-1.0.1/crypto/o_dir.c
vendor-crypto/openssl/dist-1.0.1/crypto/o_dir.h
vendor-crypto/openssl/dist-1.0.1/crypto/o_dir_test.c
vendor-crypto/openssl/dist-1.0.1/crypto/o_str.c
vendor-crypto/openssl/dist-1.0.1/crypto/o_str.h
vendor-crypto/openssl/dist-1.0.1/crypto/o_time.c
vendor-crypto/openssl/dist-1.0.1/crypto/o_time.h
vendor-crypto/openssl/dist-1.0.1/crypto/opensslv.h
vendor-crypto/openssl/dist-1.0.1/crypto/rc4/rc4_utl.c
vendor-crypto/openssl/dist-1.0.1/crypto/rsa/rsa_chk.c
vendor-crypto/openssl/dist-1.0.1/crypto/rsa/rsa_sign.c
vendor-crypto/openssl/dist-1.0.1/crypto/seed/seed_cbc.c
vendor-crypto/openssl/dist-1.0.1/crypto/seed/seed_cfb.c
vendor-crypto/openssl/dist-1.0.1/crypto/seed/seed_ecb.c
vendor-crypto/openssl/dist-1.0.1/crypto/seed/seed_ofb.c
vendor-crypto/openssl/dist-1.0.1/crypto/sha/sha1test.c
vendor-crypto/openssl/dist-1.0.1/crypto/store/store.h
vendor-crypto/openssl/dist-1.0.1/crypto/store/str_lib.c
vendor-crypto/openssl/dist-1.0.1/crypto/store/str_locl.h
vendor-crypto/openssl/dist-1.0.1/crypto/store/str_mem.c
vendor-crypto/openssl/dist-1.0.1/crypto/store/str_meth.c
vendor-crypto/openssl/dist-1.0.1/crypto/ts/ts_rsp_verify.c
vendor-crypto/openssl/dist-1.0.1/crypto/ui/ui.h
vendor-crypto/openssl/dist-1.0.1/crypto/ui/ui_compat.c
vendor-crypto/openssl/dist-1.0.1/crypto/ui/ui_compat.h
vendor-crypto/openssl/dist-1.0.1/crypto/ui/ui_lib.c
vendor-crypto/openssl/dist-1.0.1/crypto/ui/ui_locl.h
vendor-crypto/openssl/dist-1.0.1/crypto/ui/ui_openssl.c
vendor-crypto/openssl/dist-1.0.1/crypto/ui/ui_util.c
vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_vfy.c
vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_vfy.h
vendor-crypto/openssl/dist-1.0.1/crypto/x509v3/v3_pci.c
vendor-crypto/openssl/dist-1.0.1/crypto/x509v3/v3_pcia.c
vendor-crypto/openssl/dist-1.0.1/doc/apps/s_time.pod
vendor-crypto/openssl/dist-1.0.1/doc/crypto/BIO_s_connect.pod
vendor-crypto/openssl/dist-1.0.1/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
vendor-crypto/openssl/dist-1.0.1/engines/e_chil.c
vendor-crypto/openssl/dist-1.0.1/ssl/d1_both.c
vendor-crypto/openssl/dist-1.0.1/ssl/kssl.c
vendor-crypto/openssl/dist-1.0.1/ssl/kssl.h
vendor-crypto/openssl/dist-1.0.1/ssl/kssl_lcl.h
vendor-crypto/openssl/dist-1.0.1/ssl/s2_srvr.c
vendor-crypto/openssl/dist-1.0.1/ssl/s3_clnt.c
vendor-crypto/openssl/dist-1.0.1/ssl/s3_lib.c
vendor-crypto/openssl/dist-1.0.1/ssl/s3_srvr.c
vendor-crypto/openssl/dist-1.0.1/ssl/ssl.h
vendor-crypto/openssl/dist-1.0.1/ssl/ssl_sess.c
vendor-crypto/openssl/dist-1.0.1/ssl/t1_enc.c
vendor-crypto/openssl/dist-1.0.1/ssl/t1_lib.c
vendor-crypto/openssl/dist-1.0.1/util/pl/VC-32.pl
Modified: vendor-crypto/openssl/dist-1.0.1/ACKNOWLEDGMENTS
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/ACKNOWLEDGMENTS Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/ACKNOWLEDGMENTS Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,30 +1,2 @@
-The OpenSSL project depends on volunteer efforts and financial support from
-the end user community. That support comes in the form of donations and paid
-sponsorships, software support contracts, paid consulting services
-and commissioned software development.
-
-Since all these activities support the continued development and improvement
-of OpenSSL we consider all these clients and customers as sponsors of the
-OpenSSL project.
-
-We would like to identify and thank the following such sponsors for their past
-or current significant support of the OpenSSL project:
-
-Major support:
-
- Qualys http://www.qualys.com/
-
-Very significant support:
-
- OpenGear: http://www.opengear.com/
-
-Significant support:
-
- PSW Group: http://www.psw.net/
- Acano Ltd. http://acano.com/
-
-Please note that we ask permission to identify sponsors and that some sponsors
-we consider eligible for inclusion here have requested to remain anonymous.
-
-Additional sponsorship or financial support is always welcome: for more
-information please contact the OpenSSL Software Foundation.
+Please https://www.openssl.org/community/thanks.html for the current
+acknowledgements.
Modified: vendor-crypto/openssl/dist-1.0.1/CHANGES
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/CHANGES Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/CHANGES Thu Jan 28 18:44:11 2016 (r295003)
@@ -2,6 +2,30 @@
OpenSSL CHANGES
_______________
+ Changes between 1.0.1q and 1.0.1r [28 Jan 2016]
+
+ *) Protection for DH small subgroup attacks
+
+ As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been
+ switched on by default and cannot be disabled. This could have some
+ performance impact.
+ [Matt Caswell]
+
+ *) SSLv2 doesn't block disabled ciphers
+
+ A malicious client can negotiate SSLv2 ciphers that have been disabled on
+ the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
+ been disabled, provided that the SSLv2 protocol was not also disabled via
+ SSL_OP_NO_SSLv2.
+
+ This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
+ and Sebastian Schinzel.
+ (CVE-2015-3197)
+ [Viktor Dukhovni]
+
+ *) Reject DH handshakes with parameters shorter than 1024 bits.
+ [Kurt Roeckx]
+
Changes between 1.0.1p and 1.0.1q [3 Dec 2015]
*) Certificate verify crash with missing PSS parameter
Modified: vendor-crypto/openssl/dist-1.0.1/Configure
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/Configure Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/Configure Thu Jan 28 18:44:11 2016 (r295003)
@@ -105,6 +105,9 @@ my $usage="Usage: Configure [no-<cipher>
my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED";
+# Warn that "make depend" should be run?
+my $warn_make_depend = 0;
+
my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof -Qunused-arguments";
my $strict_warnings = 0;
@@ -1446,7 +1449,7 @@ if ($target =~ /\-icc$/) # Intel C compi
# linker only when --prefix is not /usr.
if ($target =~ /^BSD\-/)
{
- $shared_ldflag.=" -Wl,-rpath,\$(LIBRPATH)" if ($prefix !~ m|^/usr[/]*$|);
+ $shared_ldflag.=" -Wl,-rpath,\$\$(LIBRPATH)" if ($prefix !~ m|^/usr[/]*$|);
}
if ($sys_id ne "")
@@ -1953,14 +1956,8 @@ EOF
&dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
}
if ($depflags ne $default_depflags && !$make_depend) {
- print <<EOF;
-
-Since you've disabled or enabled at least one algorithm, you need to do
-the following before building:
-
- make depend
-EOF
- }
+ $warn_make_depend++;
+ }
}
# create the ms/version32.rc file if needed
@@ -2039,12 +2036,18 @@ EOF
print <<\EOF if ($no_shared_warn);
-You gave the option 'shared'. Normally, that would give you shared libraries.
-Unfortunately, the OpenSSL configuration doesn't include shared library support
-for this platform yet, so it will pretend you gave the option 'no-shared'. If
-you can inform the developpers (openssl-dev\@openssl.org) how to support shared
-libraries on this platform, they will at least look at it and try their best
-(but please first make sure you have tried with a current version of OpenSSL).
+You gave the option 'shared', which is not supported on this platform, so
+we will pretend you gave the option 'no-shared'. If you know how to implement
+shared libraries, please let us know (but please first make sure you have
+tried with a current version of OpenSSL).
+EOF
+
+print <<EOF if ($warn_make_depend);
+
+*** Because of configuration changes, you MUST do the following before
+*** building:
+
+ make depend
EOF
exit(0);
Modified: vendor-crypto/openssl/dist-1.0.1/FREEBSD-upgrade
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/FREEBSD-upgrade Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/FREEBSD-upgrade Thu Jan 28 18:44:11 2016 (r295003)
@@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/Subv
# Xlist
setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist
setenv FSVN "svn+ssh://svn.freebsd.org/base"
-setenv OSSLVER 1.0.1q
-# OSSLTAG format: v1_0_1q
+setenv OSSLVER 1.0.1r
+# OSSLTAG format: v1_0_1r
###setenv OSSLTAG v`echo ${OSSLVER} | tr . _`
Modified: vendor-crypto/openssl/dist-1.0.1/INSTALL
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/INSTALL Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/INSTALL Thu Jan 28 18:44:11 2016 (r295003)
@@ -164,10 +164,10 @@
standard headers). If it is a problem with OpenSSL itself, please
report the problem to <openssl-bugs at openssl.org> (note that your
message will be recorded in the request tracker publicly readable
- via http://www.openssl.org/support/rt.html and will be forwarded to a
- public mailing list). Include the output of "make report" in your message.
- Please check out the request tracker. Maybe the bug was already
- reported or has already been fixed.
+ at https://www.openssl.org/community/index.html#bugs and will be
+ forwarded to a public mailing list). Include the output of "make
+ report" in your message. Please check out the request tracker. Maybe
+ the bug was already reported or has already been fixed.
[If you encounter assembler error messages, try the "no-asm"
configuration option as an immediate fix.]
Modified: vendor-crypto/openssl/dist-1.0.1/LICENSE
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/LICENSE Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/LICENSE Thu Jan 28 18:44:11 2016 (r295003)
@@ -12,7 +12,7 @@
---------------
/* ====================================================================
- * Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2016 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
Modified: vendor-crypto/openssl/dist-1.0.1/Makefile
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/Makefile Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/Makefile Thu Jan 28 18:44:11 2016 (r295003)
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=1.0.1q
+VERSION=1.0.1r
MAJOR=1
MINOR=0.1
SHLIB_VERSION_NUMBER=1.0.0
@@ -181,8 +181,7 @@ SHARED_LDFLAGS=
GENERAL= Makefile
BASENAME= openssl
NAME= $(BASENAME)-$(VERSION)
-TARFILE= $(NAME).tar
-WTARFILE= $(NAME)-win.tar
+TARFILE= ../$(NAME).tar
EXHEADER= e_os2.h
HEADER= e_os.h
@@ -501,38 +500,35 @@ TABLE: Configure
# would occur. Therefore the list of files is temporarily stored into a file
# and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
# tar does not support the --files-from option.
-TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list \
- --owner openssl:0 --group openssl:0 \
- --transform 's|^|openssl-$(VERSION)/|' \
+TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list \
+ --owner 0 --group 0 \
+ --transform 's|^|$(NAME)/|' \
-cvf -
-../$(TARFILE).list:
+$(TARFILE).list:
find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
\! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \
- \! -name '*test' \! -name '.#*' \! -name '*~' \
- | sort > ../$(TARFILE).list
+ \( \! -name '*test' -o -name bctest -o -name pod2mantest \) \
+ \! -name '.#*' \! -name '*~' \! -type l \
+ | sort > $(TARFILE).list
-tar: ../$(TARFILE).list
+tar: $(TARFILE).list
find . -type d -print | xargs chmod 755
find . -type f -print | xargs chmod a+r
find . -type f -perm -0100 -print | xargs chmod a+x
- $(TAR_COMMAND) | gzip --best >../$(TARFILE).gz
- rm -f ../$(TARFILE).list
- ls -l ../$(TARFILE).gz
-
-tar-snap: ../$(TARFILE).list
- $(TAR_COMMAND) > ../$(TARFILE)
- rm -f ../$(TARFILE).list
- ls -l ../$(TARFILE)
+ $(TAR_COMMAND) | gzip --best > $(TARFILE).gz
+ rm -f $(TARFILE).list
+ ls -l $(TARFILE).gz
+
+tar-snap: $(TARFILE).list
+ $(TAR_COMMAND) > $(TARFILE)
+ rm -f $(TARFILE).list
+ ls -l $(TARFILE)
dist:
$(PERL) Configure dist
- @$(MAKE) dist_pem_h
@$(MAKE) SDIRS='$(SDIRS)' clean
- @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' tar
-
-dist_pem_h:
- (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
+ @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
install: all install_docs install_sw
Modified: vendor-crypto/openssl/dist-1.0.1/Makefile.org
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/Makefile.org Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/Makefile.org Thu Jan 28 18:44:11 2016 (r295003)
@@ -179,8 +179,7 @@ SHARED_LDFLAGS=
GENERAL= Makefile
BASENAME= openssl
NAME= $(BASENAME)-$(VERSION)
-TARFILE= $(NAME).tar
-WTARFILE= $(NAME)-win.tar
+TARFILE= ../$(NAME).tar
EXHEADER= e_os2.h
HEADER= e_os.h
@@ -499,38 +498,35 @@ TABLE: Configure
# would occur. Therefore the list of files is temporarily stored into a file
# and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
# tar does not support the --files-from option.
-TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list \
- --owner openssl:0 --group openssl:0 \
- --transform 's|^|openssl-$(VERSION)/|' \
+TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list \
+ --owner 0 --group 0 \
+ --transform 's|^|$(NAME)/|' \
-cvf -
-../$(TARFILE).list:
+$(TARFILE).list:
find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
\! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \
- \! -name '*test' \! -name '.#*' \! -name '*~' \
- | sort > ../$(TARFILE).list
+ \( \! -name '*test' -o -name bctest -o -name pod2mantest \) \
+ \! -name '.#*' \! -name '*~' \! -type l \
+ | sort > $(TARFILE).list
-tar: ../$(TARFILE).list
+tar: $(TARFILE).list
find . -type d -print | xargs chmod 755
find . -type f -print | xargs chmod a+r
find . -type f -perm -0100 -print | xargs chmod a+x
- $(TAR_COMMAND) | gzip --best >../$(TARFILE).gz
- rm -f ../$(TARFILE).list
- ls -l ../$(TARFILE).gz
-
-tar-snap: ../$(TARFILE).list
- $(TAR_COMMAND) > ../$(TARFILE)
- rm -f ../$(TARFILE).list
- ls -l ../$(TARFILE)
+ $(TAR_COMMAND) | gzip --best > $(TARFILE).gz
+ rm -f $(TARFILE).list
+ ls -l $(TARFILE).gz
+
+tar-snap: $(TARFILE).list
+ $(TAR_COMMAND) > $(TARFILE)
+ rm -f $(TARFILE).list
+ ls -l $(TARFILE)
dist:
$(PERL) Configure dist
- @$(MAKE) dist_pem_h
@$(MAKE) SDIRS='$(SDIRS)' clean
- @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' tar
-
-dist_pem_h:
- (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
+ @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
install: all install_docs install_sw
Modified: vendor-crypto/openssl/dist-1.0.1/NEWS
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/NEWS Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/NEWS Thu Jan 28 18:44:11 2016 (r295003)
@@ -5,6 +5,11 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [28 Jan 2016]
+
+ o Protection for DH small subgroup attacks
+ o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
+
Major changes between OpenSSL 1.0.1p and OpenSSL 1.0.1q [3 Dec 2015]
o Certificate verify crash with missing PSS parameter (CVE-2015-3194)
Modified: vendor-crypto/openssl/dist-1.0.1/README
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/README Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/README Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,5 +1,5 @@
- OpenSSL 1.0.1q 3 Dec 2015
+ OpenSSL 1.0.1r 28 Jan 2016
Copyright (c) 1998-2015 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@@ -90,11 +90,12 @@
In order to avoid spam, this is a moderated mailing list, and it might
take a day for the ticket to show up. (We also scan posts to make sure
- that security disclosures aren't publically posted by mistake.) Mail to
- this address is recorded in the public RT (request tracker) database (see
- https://www.openssl.org/support/rt.html for details) and also forwarded
- the public openssl-dev mailing list. Confidential mail may be sent to
- openssl-security at openssl.org (PGP key available from the key servers).
+ that security disclosures aren't publically posted by mistake.) Mail
+ to this address is recorded in the public RT (request tracker) database
+ (see https://www.openssl.org/community/index.html#bugs for details) and
+ also forwarded the public openssl-dev mailing list. Confidential mail
+ may be sent to openssl-security at openssl.org (PGP key available from the
+ key servers).
Please do NOT use this for general assistance or support queries.
Just because something doesn't work the way you expect does not mean it
Modified: vendor-crypto/openssl/dist-1.0.1/apps/engine.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/apps/engine.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/apps/engine.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* apps/engine.c -*- mode: C; c-file-style: "eay" -*- */
+/* apps/engine.c */
/*
* Written by Richard Levitte <richard at levitte.org> for the OpenSSL project
* 2000.
Modified: vendor-crypto/openssl/dist-1.0.1/apps/ocsp.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/apps/ocsp.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/apps/ocsp.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1003,7 +1003,7 @@ static int make_ocsp_response(OCSP_RESPO
bs = OCSP_BASICRESP_new();
thisupd = X509_gmtime_adj(NULL, 0);
if (ndays != -1)
- nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24);
+ nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL);
/* Examine each certificate id in the request */
for (i = 0; i < id_count; i++) {
Modified: vendor-crypto/openssl/dist-1.0.1/apps/pkcs12.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/apps/pkcs12.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/apps/pkcs12.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -79,7 +79,8 @@ const EVP_CIPHER *enc;
# define CLCERTS 0x8
# define CACERTS 0x10
-int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain);
+static int get_cert_chain(X509 *cert, X509_STORE *store,
+ STACK_OF(X509) **chain);
int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen,
int options, char *pempass);
int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
@@ -594,7 +595,7 @@ int MAIN(int argc, char **argv)
vret = get_cert_chain(ucert, store, &chain2);
X509_STORE_free(store);
- if (!vret) {
+ if (vret == X509_V_OK) {
/* Exclude verified certificate */
for (i = 1; i < sk_X509_num(chain2); i++)
sk_X509_push(certs, sk_X509_value(chain2, i));
@@ -602,7 +603,7 @@ int MAIN(int argc, char **argv)
X509_free(sk_X509_value(chain2, 0));
sk_X509_free(chain2);
} else {
- if (vret >= 0)
+ if (vret != X509_V_ERR_UNSPECIFIED)
BIO_printf(bio_err, "Error %s getting chain.\n",
X509_verify_cert_error_string(vret));
else
@@ -906,36 +907,25 @@ int dump_certs_pkeys_bag(BIO *out, PKCS1
/* Given a single certificate return a verified chain or NULL if error */
-/* Hope this is OK .... */
-
-int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain)
+static int get_cert_chain(X509 *cert, X509_STORE *store,
+ STACK_OF(X509) **chain)
{
X509_STORE_CTX store_ctx;
- STACK_OF(X509) *chn;
+ STACK_OF(X509) *chn = NULL;
int i = 0;
- /*
- * FIXME: Should really check the return status of X509_STORE_CTX_init
- * for an error, but how that fits into the return value of this function
- * is less obvious.
- */
- X509_STORE_CTX_init(&store_ctx, store, cert, NULL);
- if (X509_verify_cert(&store_ctx) <= 0) {
- i = X509_STORE_CTX_get_error(&store_ctx);
- if (i == 0)
- /*
- * avoid returning 0 if X509_verify_cert() did not set an
- * appropriate error value in the context
- */
- i = -1;
- chn = NULL;
- goto err;
- } else
+ if (!X509_STORE_CTX_init(&store_ctx, store, cert, NULL)) {
+ *chain = NULL;
+ return X509_V_ERR_UNSPECIFIED;
+ }
+
+ if (X509_verify_cert(&store_ctx) > 0)
chn = X509_STORE_CTX_get1_chain(&store_ctx);
- err:
+ else if ((i = X509_STORE_CTX_get_error(&store_ctx)) == 0)
+ i = X509_V_ERR_UNSPECIFIED;
+
X509_STORE_CTX_cleanup(&store_ctx);
*chain = chn;
-
return i;
}
Modified: vendor-crypto/openssl/dist-1.0.1/apps/speed.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/apps/speed.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/apps/speed.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* apps/speed.c -*- mode:C; c-file-style: "eay" -*- */
+/* apps/speed.c */
/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
* All rights reserved.
*
Modified: vendor-crypto/openssl/dist-1.0.1/apps/x509.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/apps/x509.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/apps/x509.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1170,12 +1170,7 @@ static int sign(X509 *x, EVP_PKEY *pkey,
if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL)
goto err;
- /* Lets just make it 12:00am GMT, Jan 1 1970 */
- /* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */
- /* 28 days to be certified */
-
- if (X509_gmtime_adj(X509_get_notAfter(x), (long)60 * 60 * 24 * days) ==
- NULL)
+ if (X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL) == NULL)
goto err;
if (!X509_set_pubkey(x, pkey))
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes.h
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes.h Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes.h Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/aes/aes.h */
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_cbc.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_cbc.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_cbc.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/aes/aes_cbc.c -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/aes/aes_cbc.c */
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_cfb.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_cfb.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_cfb.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/aes/aes_cfb.c -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/aes/aes_cfb.c */
/* ====================================================================
* Copyright (c) 2002-2006 The OpenSSL Project. All rights reserved.
*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_core.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_core.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_core.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/aes/aes_core.c -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/aes/aes_core.c */
/**
* rijndael-alg-fst.c
*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ctr.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ctr.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ctr.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/aes/aes_ctr.c -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/aes/aes_ctr.c */
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ecb.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ecb.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ecb.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/aes/aes_ecb.c -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/aes/aes_ecb.c */
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ige.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ige.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ige.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/aes/aes_ige.c -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/aes/aes_ige.c */
/* ====================================================================
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_locl.h
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_locl.h Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_locl.h Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/aes/aes.h */
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_misc.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_misc.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_misc.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/aes/aes_misc.c -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/aes/aes_misc.c */
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ofb.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ofb.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ofb.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/aes/aes_ofb.c -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/aes/aes_ofb.c */
/* ====================================================================
* Copyright (c) 2002-2006 The OpenSSL Project. All rights reserved.
*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_x86core.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_x86core.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_x86core.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/aes/aes_core.c -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/aes/aes_core.c */
/**
* rijndael-alg-fst.c
*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/bio/bio.h
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/bio/bio.h Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/bio/bio.h Thu Jan 28 18:44:11 2016 (r295003)
@@ -478,11 +478,11 @@ struct bio_dgram_sctp_prinfo {
# define BIO_get_conn_hostname(b) BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0)
# define BIO_get_conn_port(b) BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1)
# define BIO_get_conn_ip(b) BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2)
-# define BIO_get_conn_int_port(b) BIO_int_ctrl(b,BIO_C_GET_CONNECT,3,0)
+# define BIO_get_conn_int_port(b) BIO_ctrl(b,BIO_C_GET_CONNECT,3,0,NULL)
# define BIO_set_nbio(b,n) BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL)
-/* BIO_s_accept_socket() */
+/* BIO_s_accept() */
# define BIO_set_accept_port(b,name) BIO_ctrl(b,BIO_C_SET_ACCEPT,0,(char *)name)
# define BIO_get_accept_port(b) BIO_ptr_ctrl(b,BIO_C_GET_ACCEPT,0)
/* #define BIO_set_nbio(b,n) BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL) */
@@ -495,6 +495,7 @@ struct bio_dgram_sctp_prinfo {
# define BIO_set_bind_mode(b,mode) BIO_ctrl(b,BIO_C_SET_BIND_MODE,mode,NULL)
# define BIO_get_bind_mode(b,mode) BIO_ctrl(b,BIO_C_GET_BIND_MODE,0,NULL)
+/* BIO_s_accept() and BIO_s_connect() */
# define BIO_do_connect(b) BIO_do_handshake(b)
# define BIO_do_accept(b) BIO_do_handshake(b)
# define BIO_do_handshake(b) BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL)
@@ -514,12 +515,15 @@ struct bio_dgram_sctp_prinfo {
# define BIO_get_url(b,url) BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,2,(char *)(url))
# define BIO_get_no_connect_return(b) BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,5,NULL)
+/* BIO_s_datagram(), BIO_s_fd(), BIO_s_socket(), BIO_s_accept() and BIO_s_connect() */
# define BIO_set_fd(b,fd,c) BIO_int_ctrl(b,BIO_C_SET_FD,c,fd)
# define BIO_get_fd(b,c) BIO_ctrl(b,BIO_C_GET_FD,0,(char *)c)
+/* BIO_s_file() */
# define BIO_set_fp(b,fp,c) BIO_ctrl(b,BIO_C_SET_FILE_PTR,c,(char *)fp)
# define BIO_get_fp(b,fpp) BIO_ctrl(b,BIO_C_GET_FILE_PTR,0,(char *)fpp)
+/* BIO_s_fd() and BIO_s_file() */
# define BIO_seek(b,ofs) (int)BIO_ctrl(b,BIO_C_FILE_SEEK,ofs,NULL)
# define BIO_tell(b) (int)BIO_ctrl(b,BIO_C_FILE_TELL,0,NULL)
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_bio.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_bio.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_bio.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/bio/bss_bio.c -*- Mode: C; c-file-style: "eay" -*- */
+/* crypto/bio/bss_bio.c */
/* ====================================================================
* Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_conn.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_conn.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_conn.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -419,7 +419,7 @@ static long conn_ctrl(BIO *b, int cmd, l
{
BIO *dbio;
int *ip;
- const char **pptr;
+ const char **pptr = NULL;
long ret = 1;
BIO_CONNECT *data;
@@ -442,19 +442,28 @@ static long conn_ctrl(BIO *b, int cmd, l
case BIO_C_GET_CONNECT:
if (ptr != NULL) {
pptr = (const char **)ptr;
- if (num == 0) {
- *pptr = data->param_hostname;
+ }
- } else if (num == 1) {
- *pptr = data->param_port;
- } else if (num == 2) {
- *pptr = (char *)&(data->ip[0]);
- } else if (num == 3) {
- *((int *)ptr) = data->port;
+ if (b->init) {
+ if (pptr != NULL) {
+ ret = 1;
+ if (num == 0) {
+ *pptr = data->param_hostname;
+ } else if (num == 1) {
+ *pptr = data->param_port;
+ } else if (num == 2) {
+ *pptr = (char *)&(data->ip[0]);
+ } else {
+ ret = 0;
+ }
+ }
+ if (num == 3) {
+ ret = data->port;
}
- if ((!b->init) || (ptr == NULL))
+ } else {
+ if (pptr != NULL)
*pptr = "not initialized";
- ret = 1;
+ ret = 0;
}
break;
case BIO_C_SET_CONNECT:
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_dgram.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_dgram.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_dgram.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -515,10 +515,8 @@ static long dgram_ctrl(BIO *b, int cmd,
switch (cmd) {
case BIO_CTRL_RESET:
num = 0;
- case BIO_C_FILE_SEEK:
ret = 0;
break;
- case BIO_C_FILE_TELL:
case BIO_CTRL_INFO:
ret = 0;
break;
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_exp.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_exp.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_exp.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -271,9 +271,14 @@ int BN_mod_exp_recp(BIGNUM *r, const BIG
}
bits = BN_num_bits(p);
-
if (bits == 0) {
- ret = BN_one(r);
+ /* x**0 mod 1 is still zero. */
+ if (BN_is_one(m)) {
+ ret = 1;
+ BN_zero(r);
+ } else {
+ ret = BN_one(r);
+ }
return ret;
}
@@ -407,7 +412,13 @@ int BN_mod_exp_mont(BIGNUM *rr, const BI
}
bits = BN_num_bits(p);
if (bits == 0) {
- ret = BN_one(rr);
+ /* x**0 mod 1 is still zero. */
+ if (BN_is_one(m)) {
+ ret = 1;
+ BN_zero(rr);
+ } else {
+ ret = BN_one(rr);
+ }
return ret;
}
@@ -579,7 +590,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBU
* precomputation memory layout to limit data-dependency to a minimum to
* protect secret exponents (cf. the hyper-threading timing attacks pointed
* out by Colin Percival,
- * http://www.daemong-consideredperthreading-considered-harmful/)
+ * http://www.daemonology.net/hyperthreading-considered-harmful/)
*/
int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx,
@@ -608,7 +619,13 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr
bits = BN_num_bits(p);
if (bits == 0) {
- ret = BN_one(rr);
+ /* x**0 mod 1 is still zero. */
+ if (BN_is_one(m)) {
+ ret = 1;
+ BN_zero(rr);
+ } else {
+ ret = BN_one(rr);
+ }
return ret;
}
@@ -908,8 +925,9 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_
if (BN_is_one(m)) {
ret = 1;
BN_zero(rr);
- } else
+ } else {
ret = BN_one(rr);
+ }
return ret;
}
if (a == 0) {
@@ -1023,9 +1041,14 @@ int BN_mod_exp_simple(BIGNUM *r, const B
}
bits = BN_num_bits(p);
-
- if (bits == 0) {
- ret = BN_one(r);
+ if (bits == 0) {
+ /* x**0 mod 1 is still zero. */
+ if (BN_is_one(m)) {
+ ret = 1;
+ BN_zero(r);
+ } else {
+ ret = BN_one(r);
+ }
return ret;
}
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/bn/exptest.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/bn/exptest.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/bn/exptest.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -73,14 +73,34 @@ static const char rnd_seed[] =
"string to make the random number generator think it has entropy";
/*
+ * Test that r == 0 in test_exp_mod_zero(). Returns one on success,
+ * returns zero and prints debug output otherwise.
+ */
+static int a_is_zero_mod_one(const char *method, const BIGNUM *r,
+ const BIGNUM *a) {
+ if (!BN_is_zero(r)) {
+ fprintf(stderr, "%s failed:\n", method);
+ fprintf(stderr, "a ** 0 mod 1 = r (should be 0)\n");
+ fprintf(stderr, "a = ");
+ BN_print_fp(stderr, a);
+ fprintf(stderr, "\nr = ");
+ BN_print_fp(stderr, r);
+ fprintf(stderr, "\n");
+ return 0;
+ }
+ return 1;
+}
+
+/*
* test_exp_mod_zero tests that x**0 mod 1 == 0. It returns zero on success.
*/
static int test_exp_mod_zero()
{
BIGNUM a, p, m;
BIGNUM r;
+ BN_ULONG one_word = 1;
BN_CTX *ctx = BN_CTX_new();
- int ret = 1;
+ int ret = 1, failed = 0;
BN_init(&m);
BN_one(&m);
@@ -92,21 +112,65 @@ static int test_exp_mod_zero()
BN_zero(&p);
BN_init(&r);
- BN_mod_exp(&r, &a, &p, &m, ctx);
- BN_CTX_free(ctx);
- if (BN_is_zero(&r))
- ret = 0;
- else {
- printf("1**0 mod 1 = ");
- BN_print_fp(stdout, &r);
- printf(", should be 0\n");
+ if (!BN_rand(&a, 1024, 0, 0))
+ goto err;
+
+ if (!BN_mod_exp(&r, &a, &p, &m, ctx))
+ goto err;
+
+ if (!a_is_zero_mod_one("BN_mod_exp", &r, &a))
+ failed = 1;
+
+ if (!BN_mod_exp_recp(&r, &a, &p, &m, ctx))
+ goto err;
+
+ if (!a_is_zero_mod_one("BN_mod_exp_recp", &r, &a))
+ failed = 1;
+
+ if (!BN_mod_exp_simple(&r, &a, &p, &m, ctx))
+ goto err;
+
+ if (!a_is_zero_mod_one("BN_mod_exp_simple", &r, &a))
+ failed = 1;
+
+ if (!BN_mod_exp_mont(&r, &a, &p, &m, ctx, NULL))
+ goto err;
+
+ if (!a_is_zero_mod_one("BN_mod_exp_mont", &r, &a))
+ failed = 1;
+
+ if (!BN_mod_exp_mont_consttime(&r, &a, &p, &m, ctx, NULL)) {
+ goto err;
+ }
+
+ if (!a_is_zero_mod_one("BN_mod_exp_mont_consttime", &r, &a))
+ failed = 1;
+
+ /*
+ * A different codepath exists for single word multiplication
+ * in non-constant-time only.
+ */
+ if (!BN_mod_exp_mont_word(&r, one_word, &p, &m, ctx, NULL))
+ goto err;
+
+ if (!BN_is_zero(&r)) {
+ fprintf(stderr, "BN_mod_exp_mont_word failed:\n");
+ fprintf(stderr, "1 ** 0 mod 1 = r (should be 0)\n");
+ fprintf(stderr, "r = ");
+ BN_print_fp(stderr, &r);
+ fprintf(stderr, "\n");
+ return 0;
}
+ ret = failed;
+
+ err:
BN_free(&r);
BN_free(&a);
BN_free(&p);
BN_free(&m);
+ BN_CTX_free(ctx);
return ret;
}
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/camellia/camellia.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/camellia/camellia.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/camellia/camellia.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/camellia/camellia.c -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/camellia/camellia.c */
/* ====================================================================
* Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) .
* ALL RIGHTS RESERVED.
@@ -67,7 +67,7 @@
/*
* Algorithm Specification
- * http://info.isl.llia/specicrypt/eng/camellia/specifications.html
+ * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
*/
/*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/camellia/camellia.h
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/camellia/camellia.h Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/camellia/camellia.h Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/camellia/camellia.h -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/camellia/camellia.h */
/* ====================================================================
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_cbc.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_cbc.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_cbc.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/camellia/camellia_cbc.c -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/camellia/camellia_cbc.c */
/* ====================================================================
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_cfb.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_cfb.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_cfb.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/camellia/camellia_cfb.c -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/camellia/camellia_cfb.c */
/* ====================================================================
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ctr.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ctr.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ctr.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/camellia/camellia_ctr.c -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/camellia/camellia_ctr.c */
/* ====================================================================
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ecb.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ecb.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ecb.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/camellia/camellia_ecb.c -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/camellia/camellia_ecb.c */
/* ====================================================================
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_locl.h
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_locl.h Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_locl.h Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/camellia/camellia_locl.h -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/camellia/camellia_locl.h */
/* ====================================================================
* Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) .
* ALL RIGHTS RESERVED.
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_misc.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_misc.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_misc.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/camellia/camellia_misc.c -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/camellia/camellia_misc.c */
/* ====================================================================
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ofb.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ofb.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ofb.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/camellia/camellia_ofb.c -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/camellia/camellia_ofb.c */
/* ====================================================================
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_utl.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_utl.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_utl.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/camellia/cmll_utl.c -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/camellia/cmll_utl.c */
/* ====================================================================
* Copyright (c) 2011 The OpenSSL Project. All rights reserved.
*
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/des/des_old.c -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/des/des_old.c */
/*-
* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old.h
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old.h Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old.h Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/des/des_old.h -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/des/des_old.h */
/*-
* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old2.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old2.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old2.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -1,4 +1,4 @@
-/* crypto/des/des_old.c -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/des/des_old.c */
/*
* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING The
Modified: vendor-crypto/openssl/dist-1.0.1/crypto/dsa/dsa_ossl.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/crypto/dsa/dsa_ossl.c Thu Jan 28 18:42:39 2016 (r295002)
+++ vendor-crypto/openssl/dist-1.0.1/crypto/dsa/dsa_ossl.c Thu Jan 28 18:44:11 2016 (r295003)
@@ -187,9 +187,6 @@ static DSA_SIG *dsa_do_sign(const unsign
if (!BN_mod_mul(s, s, kinv, dsa->q, ctx))
goto err;
- ret = DSA_SIG_new();
- if (ret == NULL)
- goto err;
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
More information about the svn-src-vendor
mailing list